Signal K Server is a server application that runs on a central hub in a boat. [CVSS 6.3 MEDIUM]
A vulnerability was identified in code-projects Online Guitar Store 1.0. Affected by this issue is some unknown functionality of the file /login.php. [CVSS 7.3 HIGH]
A vulnerability was found in code-projects Online Guitar Store 1.0. Affected is an unknown function of the file /admin/Create_product.php. [CVSS 7.3 HIGH]
A vulnerability has been found in code-projects Online Guitar Store 1.0. This impacts an unknown function of the file /admin/Create_category.php. [CVSS 7.3 HIGH]
SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /student/index.php enables unauthenticated remote attackers to query or manipulate the database. Public exploit code exists for this vulnerability, and no patch is currently available, leaving all installations at risk.
Online Guitar Store versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
Signal K Server is a server application that runs on a central hub in a boat. [CVSS 5.3 MEDIUM]
A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. [CVSS 4.3 MEDIUM]
Release of Invalid Pointer or Reference vulnerability was discovered in fs/inode/fs_inoderemove code of the Apache NuttX RTOS that allowed root filesystem inode removal leading to a debug assert trigger (that is disabled by default), NULL pointer dereference (handled differently depending on the target architecture), or in general, a Denial of Service. [CVSS 6.5 MEDIUM]
The WP Import - Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. [CVSS 6.4 MEDIUM]
Eopkg package manager versions before 4.4.0 fail to enforce the --destdir installation path, allowing malicious packages to write files to arbitrary locations on the host filesystem. An attacker can exploit this by distributing a compromised package that bypasses the intended installation directory, potentially overwriting system files or placing malicious content outside the sandboxed installation path. Users are only at risk if installing packages from untrusted or compromised sources; Solus repository packages are unaffected.
Eopkg package manager versions before 4.4.0 fail to track files included in malicious packages, allowing undetected file installation when users install from compromised sources. An attacker can distribute packages containing hidden files that evade detection by package management tools like lseopkg. Users installing exclusively from official Solus repositories are unaffected.
The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet. [CVSS 5.3 MEDIUM]
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists. [CVSS 5.3 MEDIUM]
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). [CVSS 4.9 MEDIUM]
The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. [CVSS 4.3 MEDIUM]